Abstract: Data processing systems and methods according to various embodiments are adapted for automatically detecting and documenting privacy-related aspects of computer software. Particular embodiments are adapted for: (1) automatically scanning source code to determine whether the source code include instructions for collecting personal data; and (2) facilitating the documentation of the portions of the code that collect the personal data. For example, the system may automatically prompt a user for comments regarding the code. The comments may be used, for example, to populate: (A) a privacy impact assessment; (B) system documentation; and/or (C) a privacy-related data map. The system may comprise, for example, a privacy comment plugin for use in conjunction with a code repository.

Abstract: In particular embodiments, a Cross-Border Visualization Generation System is configured to: (1) identify one or more data assets associated with a particular entity; (2) analyze the one or more data assets to identify one or more data elements stored in the identified one or more data assets; (3) define a plurality of physical locations and identify, for each of the identified one or more data assets, a respective particular physical location of the plurality of physical locations; (4) analyze the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations; (5) determine one or more regulations that relate to the one or more data transfers; and (6) generate a visual representation of the one or more data transfers based at least in part on the one or more regulations.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified using by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.

Abstract: In particular embodiments, a consent conversion optimization system is configured to test two or more test consent interfaces against one another to determine which of the two or more consent interfaces results in a higher conversion percentage (e.g., to determine which of the two or more interfaces lead to a higher number of end users and/or data subjects providing a requested level of consent for the creation, storage and use or cookies by a particular website). The system may, for example, analyze end user interaction with each particular test consent interface to determine which of the two or more user interfaces: (1) result in a higher incidence of a desired level of provided consent; (2) are easier to use by the end users and/or data subjects (e.g., take less time to complete, require a fewer number of clicks, etc.); (3) etc.

Abstract: In particular embodiments, a data processing consent management system may be configured to utilize one or more age verification techniques to at least partially authenticate the data subject's ability to provide valid consent (e.g., under one or more prevailing legal requirements) in order to collect, store, and or process the subject's personal data. For example, according to one or more particular legal or industry requirements, an individual (e.g., data subject) may need to be at least a particular age (e.g., an age of majority, an adult, over 18, over 21, over 13, or any other suitable age) in order to provide valid consent. Data processing systems may generate and store one or more consent records memorializing valid consent for data processing from data subjects in response to confirming that the data subject is old enough to provide such consent.

Abstract: A mobile application privacy analysis system is described, where the system scans a mobile device to identify files associated with a particular SDK and generates a tokenized name for the SDK. The tokenized name includes tokens representing the SDK vendor and one or more functions of the SDK. Using the tokenized name, the system then determines corresponding categories for each functionality token and score for each such category. Based on the scores, the system determines the most significant category and assigns that category to the SDK for use in privacy analysis. The system may also, or instead, determine a vendor category using the vendor token and assign that category to the SDK. Weighting factors may be applied to the scores for the categories associated with the functionality tokens and vendor tokens.

Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). For example, a first data asset may include any software or device (e.g., server or servers) utilized by a particular entity for such data collection, processing, transfer, storage, etc.

Abstract: Data stored on a data asset may be migrated to another data asset while maintaining compliance to applicable regulations. A data asset may experience a failure. Based on the type of data stored by that data asset and the applicable regulations, requirements, and/or restrictions that relate to a transfer of that type data from that data asset, a target data asset may be determined. The data stored on the data asset may then be transferred to the target data asset. The disclosed systems may use data models and/or data maps in determining the requirements for a data transfer and selecting target data assets.

Abstract: In various embodiments, a personal data processing system may require guardian consent (e.g., parental consent) for a data subject in order to collect, store, and or process the subject's personal data. The system may prompt the data subject to initiate a request for guardian consent or the system may initiate a request for guardian consent without initiation from the data subject (e.g., in the background of a transaction). In some embodiments, the system may require guardian consent when a data subject is under the age for valid consent for the particular type of personal data that will be collected as part of a particular transaction. Data processing systems may generate and store one or more consent records memorializing valid consent for data processing from data subjects and/or from guardians on their behalf (e.g., in the case of a minor data subject).

Abstract: In particular embodiments, computer-implemented data processing, systems, and method configured to: receive a request to initiate a transaction between an entity and a data subject, generate (i) a consent receipt for the transaction comprising at least a unique subject identifier and a unique consent receipt key and (ii) a unique cookie to identify the data subject's transaction initiated by the data subject, store the consent receipt for the transaction and the unique cookie, receive a data subject access request from the data subject, verify an identity of the data subject based at least in part on the unique cookie process the request, process the request by identifying one or more pieces of personal data associated with the data subject, and taking one or more actions based at least in part on the data subject access request.

Abstract: In particular embodiments, a Personal Data Deletion System is configured to: (1) at least partially automatically identify and delete personal data that an entity is required to erase under one or more of the conditions discussed above; and (2) perform one or more data tests after the deletion to confirm that the system has, in fact, deleted any personal data associated with the data subject. The system may, for example, be configured to test to ensure the data has been deleted by: (1) submitting a unique token of data through a form to a system; (2) in response to passage of an expected data retention time, test the system by calling into the system after the passage of the data retention time to search for the unique token.

Abstract: In particular embodiments, a computer-implemented data processing method for responding to a data subject access request comprises: (A) receiving a data subject access request from a requestor comprising one or more request parameters; (B) determining that the data subject is associated with a particular geographic location; (C) verifying that the data subject is associated with the particular geographic location; (D) in response to verifying that the data subject is associated with the particular geographic location, processing the request by identifying one or more pieces of personal data associated with the data subject; and (E) taking one or more actions based at least in part on the data subject access request, the one or more actions including one or more actions related to the one or more pieces of personal data.

Abstract: An application privacy analysis system is described, where the system obtains an application and analyzes it for privacy related data use. The system may determine privacy related activities of the application from established sources of such data and/or may decompile the application and analyze the resulting code to determine the privacy related activities of the application. The system may execute the application and monitor the communications traffic exchanged by the application to determine privacy related activities of the application. The system may store the results of such analyses for future reference.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for performing a process of procuring a vendor and sub-processes associated therewith, such as performing vendor risk assessments and providing training specific to the procurement of that particular vendor. Training requirements for the user procuring the vendor and/or for the vendor itself are determined and any deficiencies in current, valid training requirements are identified. Training to address any identified deficiencies is provided as part of the vendor procurement process. Training may be customized based on trainee and/or organization attributes to improve the effectiveness of such training.

Abstract: A consent receipt management system may, for example, be configured to track data on behalf of an entity that collects and/or processes persona data related to: (1) who consented to the processing or collection of personal data; (2) when the consent was given (e.g., a date and time); (3) what information was provided to the consenter at the time of consent (e.g., a privacy policy, what personal data would be collected following the provision of the consent, for what purpose that personal data would be collected, etc.); (4) how consent was received (e.g., one or more copies of a data capture form, webform, etc. via which consent was provided by the consenter); (5) when consent was withdrawn (e.g., a date and time of consent withdrawal if the consenter withdraws consent); and/or (6) any other suitable data related to receipt or withdrawal of consent.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for performing a process of procuring a vendor and sub-processes associated therewith, such as performing vendor risk assessments and providing training specific to the procurement of that particular vendor. Training requirements for the user procuring the vendor and/or for the vendor itself are determined and any deficiencies in current, valid training requirements are identified. Training to address any identified deficiencies is provided as part of the vendor procurement process. Training may be customized based on trainee and/or organization attributes to improve the effectiveness of such training.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for mapping various questions regarding a data breach from a master questionnaire to a plurality of territory-specific data breach disclosure questionnaires. The answers to the questions in the master questionnaire are used to populate the territory-specific data breach disclosure questionnaires and determine whether disclosure is required in territory. The system can automatically notify the appropriate regulatory bodies for each territory where it is determined that data breach disclosure is required.

Abstract: In various embodiments, a data processing consent capture system may be configured to prompt the data subject to consent to one or more types of data processing (e.g., to provide a desired consent) in response to identifying particular cookies (e.g., or types of data processing) that a data subject has not consented to. The system may, for example, substantially automatically prompt the data subject to consent for one or more particular types of data processing in response to determining that the user (e.g., data subject) has requested that a website or other system perform one or more functions that are not possible without a particular type of consent from the data subject. The system may, for example, prompt the user to consent in time for a certain interaction with the website, application, etc.